DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/19/2021 has been entered.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claims, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Coon (US 2013/0104022 A1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Buis (US 2018/0211258 A1) in view of Belton (US 2013/0333002 A1), Xu (US 2020/0074148 A1), and Coon (US 2013/0104022 A1).

Regarding claim 1, Buis discloses: A method for persistent authentication of a registered user of a user device, the method comprising: 
on the user device, of a primary network browsing session for sending and receiving information over a network, receiving, by the user device, primary authentication information associated with the registered user of the user device; 
Refer to at least the abstract and 805 in FIG. 8 of Buis with respect to an online transaction.
Refer to at least [0063] and [0077] of Buis with respect to registering authentication information and personal information between a user device and server.
during the primary network browsing session or during a subsequent network browsing session, detecting, on the user device, an input field and identifying the input field as requesting sensitive user information; 
Refer to at least 810 in FIG. 8 and [0041] of Buis with respect to detecting, e.g., credit card information fields. 
if the primary verification message has been received, initiating, by the user device, a camera associated with the user device to capture a secondary authentication image of the current user operating the device; 
transmitting, by the user device, to a server, a secondary authentication request including the secondary authentication image; 
Refer to at least [0027] of Buis with respect to support for facial biometric usage.
Refer to at least [0061] of Buis with respect to transmitting an authentication request with biometric information of the user to a server for verification.
comparing, by the server, the secondary authentication image facial mapping to stored user information; 
determining, by the server, that the secondary authentication image facial mapping matches the stored user information; 
receiving, by the user device, from the server, a secondary verification message indicating that the user is authenticated based on the secondary authentication image or a failure message indicating that the user is not authenticated based on the secondary authentication image; and 
Refer to at least the abstract, 820-835 in FIG. 8, and [0062] of Buis with respect to the server verifying the authentication request and associated provision of autofill information.
if the secondary verification message is received, populating the input field with a tokenized version of the sensitive user information requested by the input field.
Refer to at least FIG. 5-6, FIG. 7, 840-845 in FIG. 8, and [0068] of Buis with respect to autofilling, e.g., credit card information with masked values responsive to a successful verification.
Buis does not fully disclose: following the initiation, transmitting, by the user device, to a server, a primary authentication request including the primary authentication information and a hardware identifier associated with the user device; and the hardware identifier; receiving, by the user device, from the server, a primary verification message; determining, by the user device, that the primary verification message has been received; processing, by the server, the secondary authentication image to generate a secondary authentication image facial mapping; a probability; if the probability exceeds a threshold; if the probability is less than a threshold; if the failure message is received, disabling the detection of the input field and the identification of the input field as requesting sensitive user information.
However, Buis in view of Belton discloses: following the initiation, transmitting, by the user device, to a server, a primary authentication request including the primary authentication information and a hardware identifier associated with the user device; and the hardware identifier; receiving, by the user device, from the server, a primary verification message; determining, by the user device, that the primary verification message has been received;
Refer to at least the abstract, [0007]-[0008], [0032], [0042]-[0043], [0052], and [0078]-[0079] of Belton with respect to a first and second authentication and use of identifier information for said authentications.
if the failure message is received;
Refer to at least 414 in FIG. 4 and [0067] of Belton with respect to retrying authentication if the authentication via second technique fails.
Further, Buis-Belton in view of Xu discloses: processing, by the server, the secondary authentication image to generate a secondary authentication image facial mapping; a probability; if the probability exceeds a threshold; if the probability is less than a threshold.
Refer to at least FIG. 5-7 of Xu with respect to obtaining, processing, and comparing user facial images to stored images and further obtaining a similarity threshold; authentication based on the threshold. 
Finally, Buis-Belton-Xu in view of Coon discloses: if the failure message is received, disabling the detection of the input field and the identification of the input field as requesting sensitive user information.
Refer to at least steps 1630-1680 in FIG. 16, [0012], and [0180] of Coon, wherein an autofill browser function is disabled and not reactivated until successful authentication is performed. For instance, disabling the autofill responsive to looping back to 406 in FIG. 4 of Belton as a security condition.

Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Buis to further include dynamic first and second authentication for at least the reasons discussed in the abstract and [0004] of Belton. It further would have been obvious to modify the teachings to include use of a similarity threshold because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., the implementation of biometric matching—the specific algorithm used to match facial biometrics). Finally, it would have been obvious to modify the teachings to include disabling autofill responsive to a failure of authentication for at least the purpose of preventing leakage of private data under unverified circumstances. 

Regarding claim 2, Buis-Belton-Xu-Coon discloses: The method of claim 1, wherein the step of transmitting the primary authentication request further includes determining a primary authentication internet protocol address of the user device indicating the internet protocol address of the user device at the time of the primary authentication request, and including the determined primary authentication internet protocol address of the user device in the primary authentication request; wherein the step of transmitting the secondary authentication request further includes determining a secondary authentication internet protocol address of the user device indicating the internet protocol address of the user device at the time of the secondary authentication request, and including the determined secondary authentication internet protocol address of the user device in the secondary authentication request; and wherein the secondary verification message or failure message is further based on a comparison of the primary authentication internet protocol address of the user device and the secondary authentication internet protocol address of the user device.
Refer to at least [0032], [0052], and [0078]-[0079] of Belton with respect to IP address and other identifying information used for authentication.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 3, Buis-Belton-Xu-Coon discloses: The method of claim 1, further comprising: at the initiation of a subsequent network browsing session, initiating, by the user device, the camera associated with the user device to capture a browsing session image of the user; and transmitting, by the user device, to the server, the browsing session image of the user; wherein the secondary verification message or failure message is further based on a comparison of the browsing session image and the secondary authentication image.
Refer to at least [0038], [0053], and [0061]-[0062] of Buis with respect to a form of claimed capturing. 

Regarding claim 4, Buis-Belton-Xu-Coon discloses: The method of claim 1, wherein the initiation of the camera associated with the user device includes displaying, on a display of the user device, a prompt for the user to enter a command for the camera to capture the secondary authentication image.
Refer to at least [0044] of Xu with respect to prompting a user for biometric information. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 5, Buis-Belton-Xu-Coon discloses: The method of claim 1, further comprising, if the failure message is received, declining to populate the input field.
Refer to at least [0043] of Buis with respect to denying automatic filling.

Regarding claim 6, Buis-Belton-Xu-Coon discloses: The method of claim 1, further comprising, if the failure message is received, prompting the user to submit the primary authentication information; transmitting, by the user device, to the server, an additional primary authentication request including the resubmitted primary authentication information; receiving, by the user device, from the server, an additional primary verification message including a tokenized version of the sensitive user information requested by the input field; and if the additional primary verification message is received, populating the input field with the tokenized sensitive user information.
Refer to at least [0046] of Buis and to at least [0039] of Belton with respect to re-authentication after failure.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claims 7-8, they are rejected for substantially the same reasons as claim 1 above (i.e., the citations: e.g., [0035] of Belton).

Regarding claim 9, Buis-Belton-Xu-Coon discloses: The method of claim 1, wherein the secondary verification message includes the tokenized version of the sensitive user information.
Refer to at least [0068] and [0083] of Buis with respect to obtaining masked CC info. 

Regarding claim 10, Buis-Belton-Xu-Coon discloses: The method of claim 1, wherein the secondary verification message includes a call to a local memory of the user device storing the tokenized version of the sensitive user information.
Refer to at least [0042] and [0053] of Buis with respect to the user device and masked CC info.

Regarding claims 11-12, they are rejected for substantially the same reasons as claim 1 above (i.e., the citations: e.g., FIG. 5-6 of Buis).

Regarding independent claim 13, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale). 

Regarding claim 14, it is substantially similar to claim 6 above, and is therefore likewise rejected.

Regarding claims 15-19, they are substantially similar to claims 2-12 above, and are therefore likewise rejected. 

Regarding independent claim 20, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations and obviousness rationale). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson, can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/V.S/ Examiner, Art Unit 2432